Physical security

Side channel analysis is a non-invasive attack in which an attacker analyzes the power signature or electromagnetic radiation emanating from an IC with the aim of extracting sensitive information such as secret keys.

Tamper attacks are invasive attacks in which an adversary physically tampers with the IC with the objective of gathering sensitive information carried on the metal wires using micro-probes. An adversary might even try to alter the circuit behavior by overdriving the state of the IC.

Fault injection attacks, or perturbation attacks, occur when an adversary induces faulty behavior in a system with the intention of taking advantage of these faults to compromise its security. There are several methods of inducing faults; some of the prominent ones are discussed below. Fault injection attacks can be either invasive or non-invasive in nature.

Optical fault injection, Electromagnetic Fault Injection (EMFI) and Body Bias Injection (BBI) are types of perturbation attack that inject faults into a device by projecting a laser onto it, applying electromagnetic fault injection, or biasing the body, respectively. An adversary will try to exploit the faulty behavior to compromise the security of the system.

Power/Clock/Reset glitching attacks occur when an adversary introduces glitches into the power supply, clock network or reset network of an IC. The objective of the attacker in this case is to induce faulty behavior that can be exploited to compromise the security.

Frequency/Voltage tampering attacks are those in which an adversary changes the operating conditions of an IC, by tampering with the level of the power supply or changing the clock frequency. The objective of the attacker in this case is to induce faulty behavior that can be exploited to compromise the security.

Temperature attacks involve an adversary changing the operating environment by changing the temperature at which the IC operates. The objective of the attacker in this case is to induce faulty behavior that can be exploited to compromise the security.

SCA Types

Timing Based

Gathering information based on timing differences in execution

Observes and exploits micro-architectural changes during execution (e.g., cache line evictions)

Viable side channel is established
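The timing-based side channel described above, and the "Uniform Timing" countermeasure in the table below, can be seen in a byte-by-byte comparison. The following C program is an added example, not code from the original notes: it contrasts an early-exit comparison, whose loop count depends on how many leading bytes of a guess are correct, with a uniform-timing comparison that always walks every byte. The secret and the guesses are constructed sample values; the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 4-byte secret used only for this demonstration. */
const uint8_t DEMO_SECRET[4] = {0x4A, 0x13, 0xC7, 0x9E};

/* Constructed guesses: wrong at byte 0, wrong at byte 2, fully correct. */
const uint8_t GUESS_WRONG_AT_0[4] = {0x00, 0x13, 0xC7, 0x9E};
const uint8_t GUESS_WRONG_AT_2[4] = {0x4A, 0x13, 0x00, 0x9E};
const uint8_t GUESS_CORRECT[4]    = {0x4A, 0x13, 0xC7, 0x9E};

/* Leaky comparison: stops at the first mismatching byte. The number of
 * iterations, and therefore the execution time, depends on how many
 * leading bytes of the guess are correct. That data-dependent timing
 * difference is what a timing-based side channel observes. */
int compare_early_exit(const uint8_t *a, const uint8_t *b, size_t len,
                       size_t *iterations)
{
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            *iterations = i + 1;
            return 0;
        }
    }
    *iterations = len;
    return 1;
}

/* Uniform-timing comparison: always visits every byte and ORs the XOR
 * differences into an accumulator. Loop count and control flow do not
 * depend on the data, and the result is derived arithmetically rather
 * than with a data-dependent branch. */
int compare_constant_time(const uint8_t *a, const uint8_t *b, size_t len,
                          size_t *iterations)
{
    /* volatile discourages the compiler from re-introducing an early exit */
    volatile unsigned int diff = 0;
    for (size_t i = 0; i < len; i++) {
        diff |= (unsigned int)(a[i] ^ b[i]);
    }
    *iterations = len;
    /* diff is in 0..255: (diff - 1) >> 8 is non-zero only when diff == 0 */
    return (int)(1u & ((diff - 1u) >> 8));
}

/* Probes returning the loop count each comparison used against the secret. */
size_t iterations_early_exit(const uint8_t *guess)
{
    size_t it = 0;
    (void)compare_early_exit(DEMO_SECRET, guess, sizeof DEMO_SECRET, &it);
    return it;
}

size_t iterations_constant_time(const uint8_t *guess)
{
    size_t it = 0;
    (void)compare_constant_time(DEMO_SECRET, guess, sizeof DEMO_SECRET, &it);
    return it;
}

int check_early_exit(const uint8_t *guess)
{
    size_t it = 0;
    return compare_early_exit(DEMO_SECRET, guess, sizeof DEMO_SECRET, &it);
}

int check_constant_time(const uint8_t *guess)
{
    size_t it = 0;
    return compare_constant_time(DEMO_SECRET, guess, sizeof DEMO_SECRET, &it);
}

int main(void)
{
    printf("early-exit iterations:    %zu %zu %zu\n",
           iterations_early_exit(GUESS_WRONG_AT_0),
           iterations_early_exit(GUESS_WRONG_AT_2),
           iterations_early_exit(GUESS_CORRECT));
    printf("constant-time iterations: %zu %zu %zu\n",
           iterations_constant_time(GUESS_WRONG_AT_0),
           iterations_constant_time(GUESS_WRONG_AT_2),
           iterations_constant_time(GUESS_CORRECT));
    return 0;
}
```

The early-exit version reports 1, 3 and 4 iterations for the three guesses, so the loop count (and the time it takes) reveals the length of the correct prefix; the uniform-timing version reports 4 in every case. In production code the `volatile` accumulator is only a hint: the generated assembly should still be inspected, because an optimizing compiler is free to restructure the loop.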

Trace Based

Requires physical proximity to the victim machine

Exploits changes in power draw, electromagnetic emanations, etc.

Continuous monitoring of these parameters leaks information

Access Based

Depends on access to the victim machine

Exploits shared resources between attacker and victim

More pronounced in multi-core systems

Countermeasure

Countermeasure                                            Description
Uniform Timing                                            Time-constant program execution
Cache Address Scrambling and Random Line Invalidation     Memory access scrambling
Random Instruction Insertion                              On-the-fly program flow randomization
Bus, Register Bank and ALU Polarity                       On-the-fly logic level inversion
Cache, Bus and Register Data Masking                      Obfuscation of data and program in the processor
Register Bank Renaming                                    On-the-fly CPU resource swapping
Parity in the processor, bus, and cache                   Logic redundancy to protect key functionalities
Lockstep                                                  Integer core duplication
Security monitor bus                                      Internal signal monitoring
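The fault injection attacks described earlier (glitching, EMFI, voltage and temperature tampering) are what the "Parity" and "Lockstep" rows above defend against: redundant copies and duplicated evaluation let a corrupted value or a skipped instruction be detected rather than silently accepted. The following C program is an added example, not code from the original notes, and applies the same idea in software: a value is stored together with its bitwise complement and a parity bit, a decision is evaluated over two paths and accepted only when they agree, and status codes are chosen with a large Hamming distance so a single flipped bit cannot turn one outcome into another. The struct, function names and status values are the example's own; the bit flip is simulated in software, standing in for a glitch-corrupted register.

```c
#include <stdint.h>
#include <stdio.h>

/* Status codes with large Hamming distance from one another (OK and FAIL
 * are complements; FAULT differs from each in 8 bits). */
enum { STATUS_OK = 0x3CA5, STATUS_FAIL = 0xC35A, STATUS_FAULT = 0x5A3C };

typedef struct {
    uint32_t value;      /* stored value */
    uint32_t value_inv;  /* bitwise complement kept as a second copy */
    uint8_t  parity;     /* parity bit over value */
} guarded_u32;

/* Parity of a 32-bit word: 1 if an odd number of bits are set. */
uint8_t parity32(uint32_t v)
{
    v ^= v >> 16;
    v ^= v >> 8;
    v ^= v >> 4;
    v ^= v >> 2;
    v ^= v >> 1;
    return (uint8_t)(v & 1u);
}

void guarded_set(guarded_u32 *g, uint32_t v)
{
    g->value = v;
    g->value_inv = ~v;
    g->parity = parity32(v);
}

/* Integrity check: the two copies must be complements and the parity
 * must match. A single-bit upset in either copy or the parity fails here. */
int guarded_is_consistent(const guarded_u32 *g)
{
    if ((g->value ^ g->value_inv) != 0xFFFFFFFFu) return 0; /* copies disagree */
    if (parity32(g->value) != g->parity) return 0;          /* parity mismatch */
    return 1;
}

/* Lockstep-style decision: the comparison is evaluated over two paths
 * (plain copy and complemented copy) and only accepted when both agree.
 * A skipped instruction or corrupted register on one path shows up as a
 * disagreement instead of a wrong answer. */
unsigned authorize(const guarded_u32 *expected, uint32_t presented)
{
    if (!guarded_is_consistent(expected)) return STATUS_FAULT;

    /* volatile keeps the compiler from merging the two evaluations */
    volatile uint32_t path_a = (expected->value == presented);
    volatile uint32_t path_b = ((expected->value_inv ^ presented) == 0xFFFFFFFFu);

    if (path_a != path_b) return STATUS_FAULT;
    if (path_a == 1u && path_b == 1u) return STATUS_OK;
    return STATUS_FAIL;
}

/* Simulated single-bit upset in one copy (constructed fault, not a real glitch). */
void simulate_bit_flip(guarded_u32 *g, unsigned bit)
{
    g->value ^= (1u << (bit & 31u));
}

/* Convenience wrapper: store `stored`, optionally flip one bit of the
 * primary copy (flip_bit < 0 means no fault), then authorize `presented`. */
unsigned demo_authorize(uint32_t stored, uint32_t presented, int flip_bit)
{
    guarded_u32 g;
    guarded_set(&g, stored);
    if (flip_bit >= 0) simulate_bit_flip(&g, (unsigned)flip_bit);
    return authorize(&g, presented);
}

int main(void)
{
    printf("correct value, no fault:   0x%04X\n", demo_authorize(0xDEADBEEFu, 0xDEADBEEFu, -1));
    printf("wrong value, no fault:     0x%04X\n", demo_authorize(0xDEADBEEFu, 0xDEADBEEEu, -1));
    printf("correct value, bit 5 flip: 0x%04X\n", demo_authorize(0xDEADBEEFu, 0xDEADBEEFu, 5));
    return 0;
}
```

The first call returns STATUS_OK, the second STATUS_FAIL, and the third STATUS_FAULT: the flipped bit breaks the complement relationship between the copies, so the request is refused as a detected fault rather than evaluated on corrupted data. As with the timing example, `volatile` only discourages the optimizer from collapsing the duplicated checks; hardware lockstep and parity do this in logic, and software versions should be checked at the assembly level.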